diff --git a/advisories/hackage/xmonad-contrib/HSEC-2023-0003.md b/advisories/hackage/xmonad-contrib/HSEC-2023-0003.md
index 1fc84e71..e5fb1a73 100644
--- a/advisories/hackage/xmonad-contrib/HSEC-2023-0003.md
+++ b/advisories/hackage/xmonad-contrib/HSEC-2023-0003.md
@@ -7,7 +7,7 @@ aliases = ["CVE-2013-1436"]
 [[affected]]
 package = "xmonad-contrib"
-cvss = "CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P"
+cvss = "AV:N/AC:L/Au:N/C:P/I:P/A:P"
 [[affected.versions]]
 introduced = "0.5"
 fixed = "0.11.2"
diff --git a/code/cvss/CHANGELOG.md b/code/cvss/CHANGELOG.md
index 9a309d74..a084be39 100644
--- a/code/cvss/CHANGELOG.md
+++ b/code/cvss/CHANGELOG.md
@@ -1,3 +1,7 @@
+# 0.2
+
+Changed the CVSS v2 parser and printer to omit the "CVSS:2.0/" version prefix according to the spec.
+
 # 0.1
 Introduction
diff --git a/code/cvss/cvss.cabal b/code/cvss/cvss.cabal
index f9d1fbb1..54ae786b 100644
--- a/code/cvss/cvss.cabal
+++ b/code/cvss/cvss.cabal
@@ -1,6 +1,6 @@
 cabal-version: 2.4
 name: cvss
-version: 0.1
+version: 0.2
 synopsis: Common Vulnerability Scoring System.
 description: Use this library to parse CVSS string and compute its score.
diff --git a/code/cvss/src/Security/CVSS.hs b/code/cvss/src/Security/CVSS.hs
index 4feab9a6..5399b752 100644
--- a/code/cvss/src/Security/CVSS.hs
+++ b/code/cvss/src/Security/CVSS.hs
@@ -108,16 +108,16 @@ data Metric = Metric
 -- | Parse a CVSS string.
 parseCVSS :: Text -> Either CVSSError CVSS
 parseCVSS txt
- | "CVSS:3.1/" `Text.isPrefixOf` txt = CVSS CVSS31 <$> validateComponents validateCvss31
- | "CVSS:3.0/" `Text.isPrefixOf` txt = CVSS CVSS30 <$> validateComponents validateCvss30
- | "CVSS:2.0/" `Text.isPrefixOf` txt = CVSS CVSS20 <$> validateComponents validateCvss20
- | otherwise = Left UnknownVersion
+ | "CVSS:3.1/" `Text.isPrefixOf` txt = CVSS CVSS31 <$> validateComponents True validateCvss31
+ | "CVSS:3.0/" `Text.isPrefixOf` txt = CVSS CVSS30 <$> validateComponents True validateCvss30
+ | "CVSS:" `Text.isPrefixOf` txt = Left UnknownVersion
+ | otherwise = CVSS CVSS20 <$> validateComponents False validateCvss20
 where
- validateComponents validator = do
- metrics <- traverse splitComponent components
+ validateComponents withPrefix validator = do
+ metrics <- traverse splitComponent $ components withPrefix
 validator metrics
- components = drop 1 $ Text.split (== '/') txt
+ components withPrefix = (if withPrefix then drop 1 else id) $ Text.split (== '/') txt
 splitComponent :: Text -> Either CVSSError Metric
 splitComponent componentTxt = case Text.unsnoc componentTxt of
 Nothing -> Left EmptyComponent
@@ -148,7 +148,7 @@ cvssShow :: Bool -> CVSS -> Text
 cvssShow ordered cvss = case cvssVersion cvss of
 CVSS31 -> Text.intercalate "/" ("CVSS:3.1" : components)
 CVSS30 -> Text.intercalate "/" ("CVSS:3.0" : components)
- CVSS20 -> Text.intercalate "/" ("CVSS:2.0" : components)
+ CVSS20 -> Text.intercalate "/" components
 where
 components = map toComponent (cvssOrder (cvssMetrics cvss))
 toComponent :: Metric -> Text
diff --git a/code/cvss/test/Spec.hs b/code/cvss/test/Spec.hs
index 5faccf73..01d48fdf 100644
--- a/code/cvss/test/Spec.hs
+++ b/code/cvss/test/Spec.hs
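Review bot: The new `otherwise` guard treats every input without a `CVSS:` prefix as a v2 vector, and the `"CVSS:"` guard ahead of it turns the previously accepted `CVSS:2.0/...` form into `Left UnknownVersion`, which the CHANGELOG entry ("omit the prefix") does not announce and which any advisory or downstream data still carrying the old form will hit; this commit fixes the one in-repo advisory but cannot fix external producers. Accepting the legacy prefix on input while keeping the new prefix-less output preserves both the round trip and compatibility: add `| Text.isPrefixOf "CVSS:2.0/" txt = CVSS CVSS20 <$> validateComponents True validateCvss20` before the `"CVSS:"` guard. A side effect of the fallback is that non-CVSS input now fails inside the v2 validator rather than with `UnknownVersion` (an empty string, for instance, reaches `splitComponent` and yields `Left EmptyComponent`), so callers that match on `UnknownVersion`, if any, should be re-checked. The Spec.hs hunk updates the score table but adds no negative case pinning `Left UnknownVersion` for an unrecognised `CVSS:` prefix or the intended error for a prefix-less non-v2 string. parseCVSS's `where` block continues past the end of the hunk.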
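Review bot: The `CVSS20` alternative now drops the version prefix while the `CVSS31` and `CVSS30` alternatives directly above keep theirs, and nothing at the site explains the asymmetry; a why-comment on that line, e.g. `-- v2 vectors carry no "CVSS:2.0/" prefix (the v2 spec defines none), unlike v3.x`, saves the next reader a trip to the changelog. The Haddock for `cvssShow`, if there is one, lies outside the hunk and should state the same so that consumers comparing stored strings are not surprised by the new v2 output. The `where` block of cvssShow continues past the end of the hunk.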
@@ -30,7 +30,7 @@ examples =
 , ("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", 4.0, CVSS.Medium)
 , ("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", 9.9, CVSS.Critical)
 , ("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", 4.2, CVSS.Medium)
- , ("CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C", 7.8, CVSS.High)
- , ("CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C", 10, CVSS.Critical)
- , ("CVSS:2.0/AV:L/AC:H/Au:N/C:C/I:C/A:C", 6.2, CVSS.Medium)
+ , ("AV:N/AC:L/Au:N/C:N/I:N/A:C", 7.8, CVSS.High)
+ , ("AV:N/AC:L/Au:N/C:C/I:C/A:C", 10, CVSS.Critical)
+ , ("AV:L/AC:H/Au:N/C:C/I:C/A:C", 6.2, CVSS.Medium)
 ]
diff --git a/code/hsec-core/hsec-core.cabal b/code/hsec-core/hsec-core.cabal
index ac776367..10ceadcd 100644
--- a/code/hsec-core/hsec-core.cabal
+++ b/code/hsec-core/hsec-core.cabal
@@ -32,7 +32,7 @@ library
 build-depends:
 , base >=4.14 && <4.20
 , Cabal-syntax >=3.8.1.0 && <3.11
- , cvss >= 0.1 && < 0.2
+ , cvss >= 0.2 && < 0.3
 , osv >= 0.1 && < 0.2
 , pandoc-types >=1.22 && <2
 , safe >=0.3 && <0.4
diff --git a/code/hsec-tools/hsec-tools.cabal b/code/hsec-tools/hsec-tools.cabal
index 0271c4de..c09a30b8 100644
--- a/code/hsec-tools/hsec-tools.cabal
+++ b/code/hsec-tools/hsec-tools.cabal
@@ -57,7 +57,7 @@ library
 , commonmark ^>=0.2.2
 , commonmark-pandoc >=0.2 && <0.3
 , containers >=0.6 && <0.7
- , cvss >= 0.1 && < 0.2
+ , cvss >= 0.2 && < 0.3
 , data-default >=0.7 && <0.8
 , directory <2
 , extra ^>=1.7.5
diff --git a/code/hsec-tools/test/Spec/FormatSpec.hs b/code/hsec-tools/test/Spec/FormatSpec.hs
index ac71098b..5aac95e6 100644
--- a/code/hsec-tools/test/Spec/FormatSpec.hs
+++ b/code/hsec-tools/test/Spec/FormatSpec.hs
@@ -91,9 +91,9 @@ genCVSS =
 "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
 "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
 "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
- "CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:C",
- "CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:C/A:C",
- "CVSS:2.0/AV:L/AC:H/Au:N/C:C/I:C/A:C"
+ "AV:N/AC:L/Au:N/C:N/I:N/A:C",
+ "AV:N/AC:L/Au:N/C:C/I:C/A:C",
+ "AV:L/AC:H/Au:N/C:C/I:C/A:C"
 ]
 genCAPEC :: Gen.Gen CAPEC
diff --git a/code/osv/osv.cabal b/code/osv/osv.cabal
index 3a28a997..19ea11ea 100644
--- a/code/osv/osv.cabal
+++ b/code/osv/osv.cabal
@@ -33,7 +33,7 @@ library
 build-depends:
 , aeson >=2.0.1.0 && <3
 , base >=4.14 && <4.20
- , cvss >= 0.1 && < 0.2
+ , cvss >=0.2 && <0.3
 , text >=1.2 && <3
 , time >=1.9 && <1.14